📅 Original date posted:2022-03-23 📝 Original message: On 22.03.2022 15:10, ...

David A. Harding [ARCHIVE] /

npub16dt…4wrd

2023-06-09 13:05:36

in reply to nevent1q…cr27

📅 Original date posted:2022-03-23
📝 Original message:
On 22.03.2022 15:10, Olaoluwa Osuntokun wrote:
> ### Should the proof+verification strongly bind to the LN context?
> Today, nodes use the two bitcoin keys and construct a p2wsh
> multi-sig script and then verify that the script matches what has been
> confirmed on chain. With taproot, the output is actually just a single
> key. So if we want to maintain the same level of binding (which makes
> it
> harder to advertise fake channels using just a change output have or
> something), then we'd specify that nodes reconstruct the aggregated
> bitcoin public
> key

I think there's a significant difference between P2WSH and P2TR that's
not being considered here. With P2WSH, if I want to fake the creation
of a channel by making my change outputs OP_CMS(2-of-2) with myself, I
pay for that deception by incurring extra fee costs at spend time due to
the need to provide more witness data over plain single-sig. With
P2TR/MuSig2,
I can make my change outputs MuSig2(2-of-2) with myself without
incurring
any additional onchain spend costs.

In short, I don't believe that you can maintain the same level of
binding-to-LN-usage currently provided by P2WSH when P2TR keypath
spends are allowed.

Thanks,

-Dave

Author Public Key

npub16dt55fpq3a8r6zpphd9xngxr46zzqs75gna9cj5vf8pknyv2d7equx4wrd

Show more details

Published at

2023-06-09 13:05:36

Kind type

1 Short Text Note

Event JSON

{ "id": "f553caee53d197e6c52a44515f22fa3b8e3d2d473cbd5efc4870a6a969d8068c", "pubkey": "d3574a24208f4e3d0821bb4a69a0c3ae842043d444fa5c4a8c49c369918a6fb2", "created_at": 1686315936, "kind": 1, "tags": [ [ "e", "419acf3f070d6ca83161dbf976fadb6b16d7e209ce13dcb1aef6e54afa4692f4", "", "root" ], [ "e", "36bf51fd36a6ab9dabc53a35893aa96582ded3c545fb4489fd58ef4d807cf06f", "", "reply" ], [ "p", "2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476" ] ], "content": "📅 Original date posted:2022-03-23\n📝 Original message:\nOn 22.03.2022 15:10, Olaoluwa Osuntokun wrote:\n\u003e ### Should the proof+verification strongly bind to the LN context?\n\u003e Today, nodes use the two bitcoin keys and construct a p2wsh\n\u003e multi-sig script and then verify that the script matches what has been\n\u003e confirmed on chain. With taproot, the output is actually just a single\n\u003e key. So if we want to maintain the same level of binding (which makes \n\u003e it\n\u003e harder to advertise fake channels using just a change output have or\n\u003e something), then we'd specify that nodes reconstruct the aggregated \n\u003e bitcoin public\n\u003e key\n\nI think there's a significant difference between P2WSH and P2TR that's\nnot being considered here. With P2WSH, if I want to fake the creation\nof a channel by making my change outputs OP_CMS(2-of-2) with myself, I\npay for that deception by incurring extra fee costs at spend time due to\nthe need to provide more witness data over plain single-sig. With \nP2TR/MuSig2,\nI can make my change outputs MuSig2(2-of-2) with myself without \nincurring\nany additional onchain spend costs.\n\nIn short, I don't believe that you can maintain the same level of\nbinding-to-LN-usage currently provided by P2WSH when P2TR keypath\nspends are allowed.\n\nThanks,\n\n-Dave", "sig": "02b2eb21cf23641891903b5d9b9a1b13de9321b19b2467aaa2cb18f772e656e496d3c283236d355d14d850c26f5580f3aa71fa53ab0cb1baf3b7bf33ecdcccdd" }